Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1101022ybb;
        Sat, 28 Mar 2020 18:34:39 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vvA3Tr83JmmPQBxZXBdqksWRzHY3vhHyl9GXf+ixkknhK44OJBP2Nbnmt+cIg8DfDi0kdE2
X-Received: by 2002:aca:4046:: with SMTP id n67mr3824622oia.156.1585445679710;
        Sat, 28 Mar 2020 18:34:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585445679; cv=none;
        d=google.com; s=arc-20160816;
        b=wz3pUwTSsiGN2/6zHyzOaFOMoJuHmTeo/MtNoxgrvCQCX80yrQnxRA0NbjmrYvxfqN
         upVKarra3XnxLQJdwKhXnahlInbchg9BegsOQ35b279nNpeR4f5WyXhHNnz1QVVjTL6J
         i8VUm1c2h69EaOjXw4OdU+WsrpwtMTxTiL8MTSZ/Tt2/APy36IeAYwis03Qt30yWpmz5
         R6YwEamEtnnkJIty8uO5qiksfWa+beA0TX+HlCFQnGNCrm5gqY7JikPAPRlkqGryapD+
         CvDLHcVeP0ZD3jTYh/xHJTPw3qJkn9+HfdtgsVo9pd2IPc2rXwERyj5CQEfDwSY8zxve
         oLAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=xEq14gH8MJ7hv3D8jymXXOPTR88QaLueWbAQX3wPTCI=;
        b=iAMQrsvDZWtqzdZJH0ic3WT9UndXw3SXpS8KiLh7/GXdacUhVfBd5V12zxdWcFdY9h
         9QJzDnvPhpEBI7ttKaL2BG/BjtxTO/j4FA4LNhbdfwYG2g8jAmAClYwr+TwK9ekhZX2f
         jRaB55/a/J2BzhgRxRyqpoAzm2jhu/ON1H84H8tRA6fcDGqH+7p/jk31z2NM/h1X9oSp
         7tpZZoP+ONwd4MzdVhqDrEapgQokp8GHBHTo2ZJ0LMW+Qe2dira3qS+hoLktjIOn0EoD
         CD2WRrpjy84x4hwCJA08s6rr6iuziFPFmchuon/1tCOyyKCy5I3sMXW9UZwn1M9Hq/us
         EIug==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=g2CrChD5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m25si4181786oic.230.2020.03.28.18.34.13;
        Sat, 28 Mar 2020 18:34:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=g2CrChD5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727774AbgC2BEx (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Sat, 28 Mar 2020 21:04:53 -0400
Received: from mail-io1-f66.google.com ([209.85.166.66]:37340 "EHLO
        mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727491AbgC2BEx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 28 Mar 2020 21:04:53 -0400
Received: by mail-io1-f66.google.com with SMTP id q9so13951806iod.4;
        Sat, 28 Mar 2020 18:04:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=xEq14gH8MJ7hv3D8jymXXOPTR88QaLueWbAQX3wPTCI=;
        b=g2CrChD5giKWudtUUGe7Dk4fpmJs/Q1hRfTmTMy7boQPFpx8ZRml/KS883rNanHpRn
         2ZqgiC854Qu40PaAk1IvSSbZdvemDyOcwZ1RxhJUI3MBWOBlzZjgmetBlDEKRxNd/YfD
         Ls1La1vTqcezL3Jwji56DbSpl7ugEsHjLFF+ZZjZ6UmVDj11Lbe0msce8dsMQaTNfR1m
         uvFlL9Sb4vDcuIm3kx68geUs8fcF3Zne24rlOOAyXaJY9I8dEqcv+jmzmoZ1/eOC3oUq
         WwBRICbuAPjeM6d2AGNSRoEm+J6wfiq0W/l/mE3MHy0Pya1qm7LKjtBdNlXYx88EVr/3
         UsgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=xEq14gH8MJ7hv3D8jymXXOPTR88QaLueWbAQX3wPTCI=;
        b=ep0sJ5Twt5k1nrdLNi89NF6h+WmiHjv5aeXikYKbwLhFNLN28GKTu6LqlArC0Deezm
         LZ/8UQyp1VmZk8wf/XzEx/KWM4wMpqnXYK5Mk+2fMSQibTWzIuauHXXPSizyZZA5Tg6l
         WewisFjs5umDYE+MxQNrj9uURKRkS/mzCEcPKqcWKdSCoXGNcNbaFCdQAdqKd1+qi4bi
         JBBbXxTEj0JyK4ZFrdKp8TXDJTZAi13AbGHRDG+Tjcf+ApQetNaeERkFc5ooTorTTaIR
         jXlIwSX655ULT3vLOsEYeF6sm/XD0ImLIyJUW9OIPYqr45+g3jDEPrAnPSlAecPrk7Ns
         kDYg==
X-Gm-Message-State: ANhLgQ0uIDyhtIZ7hz+EcAA0V+5haX/21uv5pRv2mBla7ZiSDqHR/Dsm
        XUDRbgU9V4+e2EhU3jvwYaWfakury5e11DvOTpQ=
X-Received: by 2002:a6b:5406:: with SMTP id i6mr4908695iob.188.1585443892387;
 Sat, 28 Mar 2020 18:04:52 -0700 (PDT)
MIME-Version: 1.0
References: <20200328151511.22932-1-hqjagain@gmail.com> <20200328181259.GA24335@ravnborg.org>
In-Reply-To: <20200328181259.GA24335@ravnborg.org>
From:   Qiujun Huang <hqjagain@gmail.com>
Date:   Sun, 29 Mar 2020 09:04:41 +0800
Message-ID: <CAJRQjoeOfiyacHcFfQOop5jJ9MspDKL8HTjQeAY-_Wbm9PnFGg@mail.gmail.com>
Subject: Re: [PATCH] fbcon: fix null-ptr-deref in fbcon_switch
To:     Sam Ravnborg <sam@ravnborg.org>
Cc:     Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
        Daniel Vetter <daniel.vetter@ffwll.ch>,
        Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
        Daniel Thompson <daniel.thompson@linaro.org>,
        ghalat@redhat.com, dri-devel <dri-devel@lists.freedesktop.org>,
        Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Mar 29, 2020 at 2:13 AM Sam Ravnborg <sam@ravnborg.org> wrote:
>
> Hi Qiujun
>
> Thanks for looking into the sysbot bugs.
>
> On Sat, Mar 28, 2020 at 11:15:10PM +0800, Qiujun Huang wrote:
> > Add check for vc_cons[logo_shown].d, as it can be released by
> > vt_ioctl(VT_DISALLOCATE).
> >
> > Reported-by: syzbot+732528bae351682f1f27@syzkaller.appspotmail.com
> > Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
> > ---
> >  drivers/video/fbdev/core/fbcon.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > index bb6ae995c2e5..7ee0f7b55829 100644
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -2254,7 +2254,7 @@ static int fbcon_switch(struct vc_data *vc)
> >               fbcon_update_softback(vc);
> >       }
> >
> > -     if (logo_shown >= 0) {
> > +     if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) {
> >               struct vc_data *conp2 = vc_cons[logo_shown].d;
> >
> >               if (conp2->vc_top == logo_lines
> > @@ -2852,7 +2852,7 @@ static void fbcon_scrolldelta(struct vc_data *vc, int lines)
> >                       return;
> >               if (vc->vc_mode != KD_TEXT || !lines)
> >                       return;
> > -             if (logo_shown >= 0) {
> > +             if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) {
> >                       struct vc_data *conp2 = vc_cons[logo_shown].d;
> >
> >                       if (conp2->vc_top == logo_lines
>
> I am not familiar with this code.
>
> But it looks like you try to avoid the sympton
> which is that logo_shown has a wrong value after a
> vc is deallocated, and do not fix the root cause.
>
> We have:
>
> vt_ioctl(VT_DISALLOCATE)
>  |
>  +- vc_deallocate()
>      |
>      +- visual_deinit()
>          |
>          +- vc->vc_sw->con_deinit(vc)
>              |
>              +- fbcon_deinit()
>
> Would it be better to update logo_shown
> in fbcon_deinit()?
> Then we will not try to do anything with
> the logo in fbcon_switch().
>
> fbcon_deinit() is called with console locked
> so there should not be any races.

Get that, thanks.

>
> I did not stare long enough on the code to come up with a patch,
> but this may be a better way to fix it.
>
>         Sam